• Resolved eugene212

    (@eugene212)


    After looking through web access logs to check for possible malicious activities, I found some dubious requests that would reveal in plain text the WP administrator username – this is very disturbing!

    Currently I have disabled the plugin and changed the username, but it looks like Forminator requires a safety fix…

    The web request that leaked security information was like this:
    https://mysite.domain/booking/?unapproved=4587&moderation-hash=236a4e1426d14043a660a38731e7c98c

    Please advise!

    N.B. If needed, I made a screenshot of the form where username is shown in the ‘Name’ and ‘Phone’ fields.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter eugene212

    (@eugene212)

    It might be a “false alarm” (my apologies if it is the case) – the saved HTML copy of the booking form page (with the username shown in a couple of fields) has “wfd-id” tags apparently used by Kaspersky Password Manager when the browser renders the page, so it might be a case of the password manager (unexpectedly) auto-filling these fields, although one of the filled fields was ‘Phone’, which does not make much sense to me. Pity that I did not check the behaviour on other devices without a password manager…

    I hope it is the case, so I will re-enable Forminator and keep an eye on further logs/behaviour.

    Thread Starter eugene212

    (@eugene212)

    Just to follow up: it was indeed a separate PC program (password manager) that was auto-filling a couple of fields in the Forminator form (proved by either disabling the password manager or requesting the form using a device without a password manager).

    All good!

    Plugin Support Williams – WPMU DEV Support

    (@wpmudev-support8)

    Hi @eugene212

    I hope you’re well today and I apologize for the delayed response on our end!

    I’m glad to hear that you’ve managed to sort the issue out, thanks for letting us know.

    Best regards,
    Adam

  • The topic ‘WP admin username is leaked via Form fields ???’ is closed to new replies.